A look at the Trustwave Cyber Crime report

There are lots of lessons for the security industry in the Wikileaks case, including learning how to talk past each other.

Back in the dark ages when I was a programmer, I became horribly fascinated with a tool called make. It was a tool for dealing with the complexities of, well, making finished executable code.

As you know, Facebook recently overhauled its privacy controls -- or, well, overhauled the user interface to them. Upshot: Get over the privacy thing. But is that really what we want?

I had a chance to fly rather close to Iceland's Eyjafjallajokull volcano last week. On a flight back from Frankfurt, the pilot somehow got permission to divert from the scheduled flight path as we crossed Iceland to give us a closer look of the volcano.

It's been interesting to see how the failed bombing in New York's Times Square has been sifted for "lessons."

With March Madness coming up, I recently spent the morning in some rather distinguished company simulating the effect of a March Madness smartphone app that turned out (within the confines of the simulation) to be malware.

A new set of vulnerabilities came to light this week at Black Hat DC, and its appearance provides a good look at our bleak "next-gen" security future.

We just released the October issue of the CSI Alert to CSI members, and this month we focus on Windows 7. This issue is, in some ways, a follow-up to last year's issue, "The Fate of the Secure OS," in which I said some nice things about Windows Vista, and advised it would be imprudent to completely ignore Windows Vista -- eyes-closed, fingers-in-ears, chanting I'm-not-listening-I'm-not-listening.

Imagine a world in which you can do all manner of smooth, rich, user-friendly online commerce with mighty security. You can have complete faith in the validity of customers' login credentials and payment data (thereby reducing fraud costs, for starters). You can protect users' privacy...and never need to worry about securely storing -- or even seeing -- customers' credit card data or other legally protected personally identifiable information. Wait 12 to 18 months, and you might just have that.

Social networks really do bring people together, don't they? Old friends. Long-lost relatives. Bots and bot-herders. Warms the heart.

When I arrived in Las Vegas, I already smoldered and grumbled about the facts that online trust mechanisms are untrustworthy, and that browsers' fundamental weaknesses persist despite the fact that better browsers would make an incalculable impact on overall Web security. Yesterday's sessions simply added more kindling to the fire.

The rumor here is that the attacks did indeed happen, but the significance of it is actually quite small--not worth paying attention to, since attention is clearly what the attackers are seeking. More info to come... BlackHat, Kinda: Yesterday a hacking group released details (http://r00tsecurity.org/files/zf05.txt) of a number of successful attacks they conducted, apparently with the principal purpose of embarrassing some of the security industry's most well-known experts. The group claims that they collected about 75,000 passwords, including those of a few security experts speaking at the BlackHat Briefings today and tomorrow. "Welcome one and all to the real Black Hat Briefings," reads the site. "Live from the underground, coming right at you free of charge."

We've been saying for a while now that better identity management -- more so than secure Web app coding or even more secure browsers -- could fuel a quantum leap in Web security. The "Identity 2.0" community can be credited with wonderful research and truly significant advancements in identity management technology. In many ways, we're poised for an identity revolution. However, the efforts have been hampered by a lack of public awareness, a lack of interoperable standards, usability concerns, and a fundamental chicken/egg problem.

I just took a close look at the Article 29 Data Protection Working Party's opinion report on online social networking. While some of its recommendations are what you'd expect, others came as a surprise.

Citizens of the Information Security Nation, to you I say Classify and inventory your data and assets! Tedium? Odium? Delirium? Yes, probably all three. But worth the trouble.

Dr. Peter Tippett, vice president of research and intelligence for Verizon Business Security Solutions, will discuss the results of the company's "2009 Verizon Business Data Breach Investigations Report" (DBIR) at CSI SX: Security Exchange, taking place May 17-21 in Las Vegas.

Want a case study on the slings and arrows of outrageous SIEM implementation? Sure you do. (Really. You do. Trust me on this one.)

I've been talking quite a bit about whether or not (not) users of cloud services can prove compliance with security, privacy, and e-discovery laws. Now a story from The Register has me thinking about yet another issue -- the inescapable question of a service provider's financial stability.

Yesterday Nick Reynolds of the BBC directed me, as well as many other writers, to the BBC's official response to allegations that its technology show, Click, violated the U.K.'s Computer Misuse Act when it purchased and used a botnet as part of an investigative report into cybercrime.

Saturday, "Click"--"the BBC's flagship technology programme"--broadcast an investigative report on cybercrime. The exciting thing about this particular program is that they purchased and used a botnet as part of their investigation. The creators of the program are under the impression that their experiment was perfectly legal, because they had no criminal intent. They are mistaken.

Today I saw two fraudulent charges on my bank account, and a few weeks ago I accidentally wiped off all of the data from my BlackBerry. Why? Because I love too much.

Note to Web browsers: With great power comes great responsibility.

Maybe I'm stretching a bit, but let's say that operating system developers slimmed down their standard OSes enough so that eventually they'd be skinny enough to have a career in fashion and, more important, run on mobile devices. And, if so, would this be a good thing for mobile device security?

The Estonian Parliament has passed a law that will allow citizens to vote via cell phone by 2011. In the past, Estonians were able to cast their votes over the Internet, which apparently worked seamlessly despite security concerns. (See Sara Peters' coverage of e-voting in Estonia in the November 2005 Alert, Academic Group Publishes Criticisms of e-Voting; membership required.)